Penetration testing and vulnerability assesment is a practice that every day becomes more important to our businesses. Today we need to make security stress tests in order to discover potential vulnerabilities that may exist in our systems.
Many times we get a wide range of heterogeneous pricing for the same service, prices may vary from less than a thousand dollars to over 20K for the same test. Then one of the main dilemmas for companies is how to evaluate the offers and get the right price.
Who are the bests?
Penetration tests are usually a part of the IT world that has been tryed to be formalized and industrialized, however, in my experience, the pentesting is an art, the best are not those who run a script and simply repetitively understand and explain the results (eg nessus), the best are those who have the ability to:
- Think as: the sysadmin / the programmer / the user
- Integrate multiple skills and techniques in the same attack to reach the objective
- Develop their own techniques and software
This is not necessarily tied to certifications. There are few certifications that truly measure skills rather than knowledge. For example OSCP / OSCE is designed to assess the skills more than knowledge. In this topic, knowing the theory does not guarantee anything.
Which factors influence the price?
Many companies avoid the problem by charging for IP address, or even for revised website. In my opinion, this is being mediocre.
To understand the price, you need to make an equation with the following parameters:
- Penetration Testing Methodology: There are several methodologies for penetration testing (blind, double-blind, blackbox, whitebox, greybox, and so), pricing at a blackbox for example can be bounded in time or bounded in dimension. There are some penetration testers who bound the pentests in time when the audited platform are massive. They only report what found more relevant. This is required by some companies to avoid the high cost and huge time requirments of the test. I particularly disagree with this practice. If a platform is huge, it is logical to consider the number of pentesters to test the systems. Auditing a platform by it parts does not bring you the same results that auditing the whole thing.
- Auditors Expertise: the first factor that affects the price is the pentester skills. This will impact directly on the quality of the result. A Least Valued Pentester , someone that just know how to run a third party scan and will never try harder have sense in this market: Companies where the risk of a cyber attack is very low, and where information and assets are inexpensive too. Instead, a Most Valued Pentester makes sense where the threat of being attacked is high (eg banks, insurance companies, public services, state institutions, etc.).
- Audited Technology: The audited technology is a factor that often influences the price of the test. If the technology is rare, it is likely that the pentester have to study it thoroughly, and if so, you have two options, either hire someone specialized in this platform, which by supply and demand will be a high cost asset or pay more hours to a average pentester that could make a fast track on your platform.
- Test Difficulty: In an incremental model, tests of increasing difficulty as the systems are hardened. In theory early tests are designed to find the most obvious vulnerabilities. Then, in subsequent tests, it is expected that the client has fixed these vulnerabilities, therefore, finding a vulnerability will take more time and require more skilled staff, and probably giving you fewer results. Finally, tests usually reach a point where you will show just what you have introduced in new systems, and belonging to newly discovered vulnerabilities.
- Platform Size: Size is a factor, however, this should be translated in time, and is not lineal. Checking 10 hosts is not the same that checking a hundred… Checking 10 webforms is not the same that checking a hundred. However, do not expect that if you charge 1 usd per webform for a 100 forms platform, then we will charge the same 10 usd for a 10 forms web application. To introduce why this is not a linear equation, rather a linear equation, the price behaves like a logarithm function. The early forms to check usually are the most expensive ones because it requires more time. The other ones, the pentester will be familiar to the way that the system were designed, the way that system works and so.
- Heterogeneity of the platform: This factor is not usually linear too. An hererogeneous platform is usually more likely to have exploitable flaws that an homogenous one. This will reduce the time to get the first flaw, however, in a heterogeneous platform the pentester will require more time to adapt to each system. In the end, this always means more time spent to check all the platform.
- Coding hours: Sometimes the hacker must code their own tools, commonly occurs for example, when the audited system does not allow a regular automated auditing tool (the pentester may have to code an exploit, or code an evasion technique, or maybe a fuzzer that meet the input requirement for a website, or maybe to break a home made algorithm).
- Research Time: Research is very important. Many times, in order to better understand the current platform settings, the auditor may choose to perform offline replicas of the platform you’re using. Think as the sysadmin to get the common point of failure is almost mandatory for a high quality pentest. Other research can be performed directly on the installed software to achieve zero-day flaws that can be exploited by others hackers. This is important for large companies because companies need to defend everything that can perform other malicious hacker.
- Documentation Time: The hours of writting the report is essential, it consumes a lot of time, almost regardless of the difficulty required to execute a successful attack, this is directly proportional to the size of the platform. If there are 100 hosts, you may have to explain what was achieved in each host. In general you have to report to the customer each of the tests performed on each of the URLs and Host that have throwed any result. However, when the findings are not so great, it is preferable to extend the report and include what kind of tests were performed in detail.
- Offline Testing Time: Many times it happens that part of the test is to be done at home/offices. For example, planning the strategy between pentesting sessions is very important and should not be underestimated. Another process that require offline work is the analysis of stolen source codes (many times the pentester have the ability to retrieve your application source code. Analyzing that, will give the hacker more tools to perform a sucessfull attack), another is the review and analysis of vulnerability scans, among others.
- CPU/GPU cracking Time: Something that nobody usually list, but is very important, is the time consumed in parallel to decode hashes and keys obtained during the test. These hours, usually overnight, give an important added value to the test. This enable the hacker to perform escalation and navigation attacks. However, these cracking platforms costs money (hardware, electricity, rent, setup, and usage).
- Diem: If you decided you need a very smart pentester, it is very possible that this pentester is not naturally in your area. You must pay any travel expenses, which is a compilation of many things, for example, hotel or home, food, transportation, internet and other things that the pentester requires.
- Transportation Time: If you choose for “privacy and/or security”, and your company does not allow a remote analysis of it internal platform, you should pay the costs of transportation. Transportation means that you are consuming the time of the auditor while he is moving from his house/hotel to your facilities. If you are suprised by that, your should consider that leaving his regular site offices involves loss of valuable time. The pentester during his daily work make VPN based pentesting, documentation, research, contributions, developments, and even prepares himself to give you a better service.
- Assistants: Depending on the test, the company may introduce assistants to the group in order to perform work that require less technical level, reduce delivery time, and save costs of an expensive resource.
- Acquisition of licenses: The pentesters reduce time and improve their results using tools that assist them in their various tasks. Many of these tools have a cost, and it is usual that the cost is transferred to the customer.
- Advanced and specialized hardware: Usually the pentester may opt for the use of advanced equipment to make their tests. Such equipment tends to fastly depreciate in time and become obsolete as new technologies are adopted, therefore, the cost of these is diluted among few customers. For example, high gain WiFi antennas, special WiFi network cards with high power levels, and equipment capable of running several virtualized environments, high capacity disks to store the data/information obtained, as well as rainbow tables storage, Smart Cards Reader/Writers, Counterfeiting equipment (if required to supplement social engineering), mobile internet modems, software defined radios to attacks on mobile networks, bluetooth penetration equipment, etc..
- Business expenses: The firm representing the pentester performs much of the work the pentester should not perform. For example, legal assistance, generation and signing contracts, finding customers, pentesters management, administrative tasks
How to choose my pentester?
The answer is simpler than it seems. Answer the following questions and understand what you need:
- The worth of the information handled by your organization?
- What would be the cost of an attack to your plattform?
- The cost of some malicous modification of your databases
- cost of organization secrets theft
- reputational cost
- How attractive you are to an attacker?
This gives a short matrix. If your information has no value and you are not prone to be attacked, it is preferable to get checked with a scanner. Possibly it does not worth to be checked by an expert
Otherwise, is important to get the necessary number of experts and not skimp on prices.